When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK activity, defenders can examine the weaknesses revealed and identify engagement activities to exploit these weaknesses.

By mapping the various Engagement Activities to ATT&CK, defenders can ensure that each activity in the Engage Matrix is driven by observed adversary behavior. In adversary engagement operations, it can be tempting to try to anticipate the adversary’s actions. However, without an extensive understanding of the specific threat, this line of thinking can lead the defender to make incorrect or ineffective decisions. By mapping to ATT&CK, defenders can ensure their chosen engagement activities are appropriate for the target adversary. Each mapping contains the following information:

  • ATT&CK ID & Name – The specific behavior the adversary takes
  • Adversary Vulnerability – The vulnerability that the adversary exposes when they engage in this specific behavior
  • Engagement Activity – The action the defender can employ to take advantage of the adversary’s exposed vulnerability

This document provides an overview of the mapping between Engage and ATT&CK.

Version: 1.0

Last updated: 2/28/2022

Fill out this form to provide feedback on this resource!